On 6/1/23 15:45, Jesse McConnell wrote:
> Your best bet would be to do as Greg said and capture the actual request
> failing on the wire using wireshark or tcpdump, or get a
> HttpChannel.Listener[1] set up in the server so you can see what is
> happening there.
I do not have access to the private key for the TLS certificate.
Even if I did, I have found that Wireshark cannot decrypt HTTPS if a
modern cipher is being used. Solr 9 requires at least Java 11, and that
is the version being used. I would expect Java 11, Jetty Server 9, and
Jetty client 10 to be utilizing a modern cipher. Browser connections to
Solr are using TLS 1.2 with the cipher named
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384.

This has been possible in Wireshark since 2016 and its support for the SSLKEYLOGFILE format.
You'll need this from either the User Agent (Browser / HttpClient) or the Server for success.
Unfortunately Java doesn't export this file by default.
The output from `javax.net.debug` has the information, but not in the correct SSLKEYLOGFILE format that Wireshark needs.
You can, instead, use a Java Agent (on the client side) to export this information automatically for you.
- Joakim
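
Once a key log file has been exported, malformed lines in it are a common reason Wireshark still shows only encrypted records. The following Python check is an added example, not code from this thread or its authors: it validates lines against the SSLKEYLOGFILE layout (`<label> <client_random> <secret>`) and groups the usable ones by client random. The function name and sample data are constructed for illustration, and the legacy `RSA` label is not handled.

```python
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries the 48-byte
# TLS 1.2 master secret; the others are TLS 1.3 secrets (32 or 48 bytes,
# depending on the cipher suite's hash).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample input, not real key material.
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,   # truncated secret
    "SERVER_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "ef" * 32,
    "master secret: " + "cd" * 48,                    # not key log format
])

def check_keylog(text):
    """Return (sessions, problems); sessions maps client_random -> labels."""
    sessions, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != 3:
            problems.append((n, "expected '<label> <client_random> <secret>'"))
            continue
        label, rand, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((n, f"unknown label {label}"))
        elif not (HEX.match(rand) and len(rand) == 64):
            problems.append((n, "client_random must be 32 bytes of hex"))
        elif not HEX.match(secret):
            problems.append((n, "secret is not hex"))
        elif label in TLS12_LABELS and len(secret) != 96:
            problems.append((n, "TLS 1.2 master secret must be 48 bytes"))
        elif label in TLS13_LABELS and len(secret) not in (64, 96):
            problems.append((n, "TLS 1.3 secret must be 32 or 48 bytes"))
        else:
            sessions.setdefault(rand.lower(), set()).add(label)
    return sessions, problems
```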